Hello and welcome to the Thursday, June 22nd, 2003 edition of the Sands and the Storms and a storm

soundest Stormcast. My name is Johannes Ulrich and I'm recording from Stockholm, Germany.

We have observed in the past that a number of YouTube pages that at least at one point had a

significant number of subscribers

were all for a sudden taken over by crypto coin scams. Most recently, one of the probably

biggest creators on YouTube Linus Tech Tips was also the victim of a scam where a phishing email was used in order to

break in to their YouTube account and then replace it again with crypto coin scams.

So with all that, thanks to Kevin, a listener who forwarded us a sparefishing email that specifically targeted creators

like that.

In this particular example, the attacker is impersonating NordVPN.

You probably noticed a lot of YouTube creators are being sponsored by VPN providers, so

receiving an email from NordVPN, offering a sponsorship deal, may sound something plausible.

And they did a decent job in impersonating NordVPN.

They even went as far as registering a domain, NordVPN-media.com. And the recipient of the email is then enticed into

downloading a rar file that turns out, of course, to be Malver. And if the victim installs the

malware, well, apparently it's an info stealer, so that could then be used to, for example,

exfiltrate passwords or other credentials being used by the victim.

There is some evidence that suggests that the attacker here is Russian based on some Russian text snippets being used in email,

and also services like Mail.ru being used by

this particular attacker. And for more details, We Ching did a great job analyzing this particular

email and walking you through some of the different features, some of the obfuscations being used

and the exact chain that then in the end leads to installing the InfoSteeler.

...